Firefox Enables DNS over HTTPS

Mozilla created a bit of controversy today by enabling DNS over HTTPS by default in the United States.

DoH will encrypt DNS traffic from clients (browsers) to resolvers through HTTPS so that users’ web browsing can’t be intercepted or tampered with by someone spying on the network. The resolvers we’ve chosen to work with so far – Cloudflare and NextDNS – have agreed to be part of our Trusted Recursive Resolver program. The program places strong policy requirements on the resolvers and how they handle data. This includes placing strict limits on data retention so providers – including internet service providers – can no longer tap into an unprotected stream of a user’s browsing history to build a profile that can be sold, or otherwise used in ways that people have not meaningfully consented to. We hope to bring more partners into the TRR program.

I agree with Bruce Schneier that this “is a great idea, and long overdue.”

A lot of the criticism of DNS over HTTPS is reminiscent of the criticism over TLS 1.3. Enterprises took advantage of poor security in DNS and TLS 1.2 to manage their networks, which is understandable. But we shouldn’t kneecap the security of the 3.2 billion people worldwide who use the Internet in favor of special interests.

A lot of that criticism also involves “experts” talking out of both sides of their mouths. For example, Caitlin Cimpanu offers contradictory complaints in ZDNet that, on the one hand, DoH doesn’t prevent ISPs or other network providers from tracking users.

But, in the same article, Cimpanu argues that DoH bypasses enterprise policies because it makes it impossible for those enterprises to track users.

NoScript Anywhere

NoScript Anywhere is the excellent NoScript Firefox add-on, retooled to make it easy to port to Firefox for Android, Maemo and other platforms:

NoScript 3.x is implemented as a restartless add-on for Firefox Mobile, meant to explore the issues and the challenges posed by the Electrolysis multiprocessing architecture to a NoScript porting.

It also features a new page permission editing UI, specifically redesigned for smartphone usage and easily accessible by tapping on a navigation bar icon.

Once installed (with no need to restart the browser), it blocks every script and embedded object (plugin content and iframes) unless the loading resource is whitelisted.

NSA’s whitelist is implemented as a JSON map, having domains or URL prepath components as its keys and custom permission sets (or reference to the TRUSTED and UNTRUSTED predefined permission sets) as its values (references are serialized as 0 for UNTRUSTED and 1 for TRUSTED).

The developer also has plans to use Firefox Sync to sync NoScript settings across platforms. That would be awesome.
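
The whitelist format quoted above (a JSON map keyed by domain or URL prepath, with 0 and 1 standing for the UNTRUSTED and TRUSTED presets) can be sketched as a default-deny lookup. This is an added example, not NoScript's code: the permission field names (`script`, `plugin`, `frame`), the sample entries, and the matching precedence are assumptions made for illustration.

```javascript
// Added illustration; not NoScript's code. Permission field names and the
// matching rules below are assumptions made for this example.
const UNTRUSTED = Object.freeze({ script: false, plugin: false, frame: false });
const TRUSTED = Object.freeze({ script: true, plugin: true, frame: true });
const PRESETS = [UNTRUSTED, TRUSTED]; // serialized as 0 and 1, per the description

// Constructed sample whitelist: keys are domains or URL prepaths.
const SAMPLE_WHITELIST = JSON.stringify({
  "example.org": 1,
  "ads.example.org": 0,
  "https://cdn.example.net/": { script: true, plugin: false, frame: false },
});

function loadWhitelist(json) {
  const map = new Map();
  for (const [key, value] of Object.entries(JSON.parse(json))) {
    let perms;
    if (value === 0 || value === 1) perms = PRESETS[value];
    else if (value && typeof value === "object" && !Array.isArray(value)) {
      // Custom set: copy only known fields; anything not exactly true is blocked.
      perms = {};
      for (const k of Object.keys(UNTRUSTED)) perms[k] = value[k] === true;
    } else throw new TypeError(`invalid permission value for ${key}`);
    map.set(key, perms);
  }
  return map;
}

// Assumed precedence: exact prepath (scheme://host[:port]/) first, then the
// longest matching domain suffix on a label boundary; unlisted means blocked.
function permissionsFor(whitelist, resourceUrl) {
  let url;
  try { url = new URL(resourceUrl); } catch { return UNTRUSTED; }
  const prepath = `${url.protocol}//${url.host}/`;
  if (whitelist.has(prepath)) return whitelist.get(prepath);
  const labels = url.hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    const domain = labels.slice(i).join(".");
    if (whitelist.has(domain)) return whitelist.get(domain);
  }
  return UNTRUSTED;
}

function mayLoad(whitelist, resourceUrl, kind) {
  return permissionsFor(whitelist, resourceUrl)[kind] === true;
}
```

Matching on whole labels keeps `notexample.org` from inheriting the entry for `example.org`, and the prepath key pins a permission set to one scheme and host, so the same host over plain HTTP stays blocked.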

Firefox for Android to Implement Native UI

So Firefox on Android is going to go native with its user interface:

The problem, however, is that interpreting and painting at the application level adds an unwanted overhead, which usually goes unnoticed on most modern desktop and laptop computers, but becomes a bottleneck in resource constrained devices like cell phones and tablets. Native widgets are handled by Android directly so it doesn’t require additional translation or memory to map how to draw them.

Faster startup, less memory consumption, and improved responsiveness are some of the expected benefits of such a move, which is not free of important new challenges, most notably: localization and add-ons support, both of which are completely XUL-oriented.

I like the Firefox browser on Android, but it crashes and randomly restarts so often, it is essentially unusable for me. Hopefully this planned change will actually make the browser useful.